{"id":25065471,"url":"https://github.com/spydisec/spydithreatintel","last_synced_at":"2025-05-07T19:24:07.273Z","repository":{"id":272685911,"uuid":"917431691","full_name":"spydisec/spydithreatintel","owner":"spydisec","description":"A repository dedicated to sharing Indicators of Compromise (IOCs) from production systems experiencing security incidents and OSINT feeds.","archived":false,"fork":false,"pushed_at":"2025-05-03T15:15:17.000Z","size":499101,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-03T15:25:38.412Z","etag":null,"topics":["blocklist","c2","commandandcontrol","cybersecurity","honeypot","indicator-of-compromise","ioc","ioc-feed","iocfeed","malware","osint","pihole","threat-hunting","threat-intel","threat-intelligence"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spydisec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-01-16T01:07:29.000Z","updated_at":"2025-05-03T15:15:22.000Z","dependencies_parsed_at":"2025-01-16T02:24:33.944Z","dependency_job_id":"17837c27-54d5-4221-bb72-a070246fe8b7","html_url":"https://github.com/spydisec/spydithreatintel","commit_stats":null,"previous_names":["spydisec/spydithreatintel"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spydisec%2Fspydithreatintel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spydisec%2Fspydithr
eatintel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spydisec%2Fspydithreatintel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spydisec%2Fspydithreatintel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spydisec","download_url":"https://codeload.github.com/spydisec/spydithreatintel/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252942134,"owners_count":21829011,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blocklist","c2","commandandcontrol","cybersecurity","honeypot","indicator-of-compromise","ioc","ioc-feed","iocfeed","malware","osint","pihole","threat-hunting","threat-intel","threat-intelligence"],"created_at":"2025-02-06T19:27:14.501Z","updated_at":"2025-05-07T19:24:07.257Z","avatar_url":"https://github.com/spydisec.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eSpydi's ThreatIntel Feed 🛡️\u003c/h1\u003e\n\n  ![GitHub repo size](https://img.shields.io/github/repo-size/spydisec/spydithreatintel) ![Daily IP List Update](https://healthchecks.io/b/2/58a455ee-d4bb-4081-bca4-0944d3594556.svg) ![Daily C2 Feed Update](https://healthchecks.io/b/2/ad6b7683-29fc-49f4-95d1-70c169e3d8e4.svg) ![Daily Domain List Update](https://healthchecks.io/b/2/9ef2114a-9a4f-4f73-9361-36fa22fd9ea7.svg) ![Daily ThreatFox IP List Update](https://healthchecks.io/b/2/df0b45c9-03bb-416e-9cff-97952285a9b4.svg) ![Daily Maltrail IP List 
Update](https://healthchecks.io/b/2/21cee47c-1c6c-48aa-a92b-5197170e9610.svg)\n\u003c/div\u003e\n\n## 🚀 About This Project\n\nSpydi's ThreatIntel Feed is a comprehensive threat intelligence platform that aggregates, curates, and maintains high-quality blocklists for malicious IPs and domains. The system combines data from multiple OSINT sources, honeypot networks, and threat intelligence feeds to provide actionable security data.\n\n### Key Features:\n- **Automated Updates**: Daily refresh of IP and domain blocklists\n- **Multi-Source Intelligence**: Aggregates data from 12+ trusted OSINT feeds\n- **Smart Filtering**: Implements whitelisting to minimize false positives\n- **Threat Coverage**: Tracks 50+ threat actors and their infrastructure\n- **CDN-Aware**: Special handling for CDN networks to prevent service disruption\n- **Reference Analysis**: Cross-references removed IPs with OSINT feeds for validation\n\n### Use Cases:\n- Network security monitoring\n- Firewall rule generation\n- Threat intelligence integration\n- Security research and analysis\n- Malware infrastructure tracking\n\n## Table of Contents\n- 🔥[IP Blocklists](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-ip-blocklists)\n- 🌐[Domain Blocklists](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-domain-blocklists)\n- 📦[Permanent Blocklists](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-permanent-blocklists)\n- 📁[Whitelist Files](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-whitelisting)\n- 🕵️[Tracked Threats \u0026 Source list](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#%EF%B8%8F-tracked-threats--source-list)\n- 🙌[Acknowledgements](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-acknowledgements)\n- 🤝[Community Contributions](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-community-contributions)\n- 📡[Contact 
me](https://github.com/spydisec/spydithreatintel?tab=readme-ov-file#-contact-me)\n\n---\n## 📋 Blocklists    \n### 🔥 IP Blocklists  \n| Blocklist Name       | File Name                       | Description                                                                 | False Positive Risk | Blocklist URL                                                     |\n|----------------------|---------------------------------|-----------------------------------------------------------------------------|----------------------|-------------------------------------------------------------------|\n| **Master IP Blocklist** | `master_malicious_iplist.txt` | Raw aggregated IPs from 12+ OSINT feeds (unfiltered)                       | **High**             | [📥 Direct](https://spydisec.com/master_malicious_iplist.txt)     |\n| **Main IP Blocklist**   | `filtered_malicious_iplist.txt` | Curated IPs with whitelisting applied for minimal false positives           | **Low**              | [📥 Direct](https://spydisec.com/maliciousips.txt)               |\n| **C2 Server IPs Blocklist**       | `osintc2feed.txt`             | Command-and-Control infrastructure from tracked threat actors              | **Low**           | [📥 Direct](https://spydisec.com/osintc2feed.txt)                |\n\n### 🌐 Domain Blocklists  \n| Name                              | Description                                                                 | Blocklist URL                                                                 |\n|-----------------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------|\n| **Spam/Scam Domains**             | Phishing, scam, and spam domains                                           | [📥 Direct Link](https://spydisec.com/spamblocklist.txt)                        |\n| **Malware Domains**               | Active malware distribution, C2, and exploit kit domains          
         | [📥 Direct Link](https://spydisec.com/maliciousblocklist.txt)                   |\n| **Ads \u0026 Tracking Domains**        | Aggressive ads, trackers, and analytics domains                            | [📥 Direct Link](https://spydisec.com/adsblocklist.txt)                         |\n\n### 📦 Permanent Blocklists  \nPersistent threats validated over 6+ months.  \n| Name                              | Description                                                                 | Blocklist URL                                                                 |\n|-----------------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------|\n| **Permanent Malicious IPs**       | High-confidence IPs with long-term malicious activity                      | [📥 Raw](https://spydisec.com/permanentMaliciousIPList.txt)             |\n| **Permanent Malicious Domains**   | Domains linked to persistent campaigns (e.g., ransomware, APTs)            | [📥 Raw](https://spydisec.com/permanentMaliciousDomainList.txt)         |\n\n### 📁 Whitelisting  \n**Reduce false positives using these curated lists:**  \n| Name                              | Purpose                                                                 | Raw URL                                                                 |\n|-----------------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------|\n| **Removed IPs**       | Legitimate IPs removed from the various IP blocklists                        | [📥 Raw](https://github.com/spydisec/spydithreatintel/tree/main/iplist/removedips) |\n| **CDN IP Ranges**                 | Critical infrastructure IPs (Cloudflare, Akamai, Fastly)                 | [📥 Raw](https://raw.githubusercontent.com/spydisec/spydithreatintel/main/whitelist/cdnips.txt) 
|\n\n---\n## 🕵️ Tracked Threats \u0026 Source list\n1. Actively monitored infrastructure across 50+ threat actors:\n\u003cdetails\u003e\n\u003csummary\u003e🔍 Expand Threat Catalog\u003c/summary\u003e\n\n| C2s                       | Malware                          | Botnets      |\n|---------------------------|----------------------------------|--------------|\n| Cobalt Strike             | AcidRain Stealer                | 7777         |\n| Metasploit Framework      | Misha Stealer (AKA Grand Misha) | BlackNET     |\n| Covenant                  | Patriot Stealer                 | Doxerina     |\n| Mythic                    | RAXNET Bitcoin Stealer          | Scarab       |\n| Brute Ratel C4            | Titan Stealer                   | 63256        |\n| Posh                      | Collector Stealer               | Kaiji        |\n| Sliver                    | Mystic Stealer                  | MooBot       |\n| Deimos                    | Gotham Stealer                  | Mozi         |\n| PANDA                     | Meduza Stealer                  |              |\n| NimPlant C2               | Quasar RAT                      |              |\n| Havoc C2                  | ShadowPad                       |              |\n| Caldera                   | AsyncRAT                        |              |\n| Empire                    | DcRat                           |              |\n| Ares                      | BitRAT                          |              |\n| Hak5 Cloud C2             | DarkComet Trojan                |              |\n| Pantegana                 | XtremeRAT Trojan                |              |\n| Supershell                | NanoCore RAT Trojan             |              |\n| Poseidon C2               | Gh0st RAT Trojan                |              |\n| Viper C2                  | DarkTrack RAT Trojan            |              |\n| Vshell                    | njRAT Trojan                    |              |\n| Villain                   | 
Remcos Pro RAT Trojan           |              |\n| Nimplant C2               | Poison Ivy Trojan               |              |\n| RedGuard C2               | Orcus RAT Trojan                |              |\n| Oyster C2                 | ZeroAccess Trojan               |              |\n| byob C2                   | HOOKBOT Trojan                  |              |\n|                           | RisePro Stealer                 |              |\n|                           | NetBus Trojan                   |              |\n|                           | Bandit Stealer                  |              |\n|                           | Mint Stealer                    |              |\n|                           | Mekotio Trojan                  |              |\n|                           | Gozi Trojan                     |              |\n|                           | Atlandida Stealer               |              |\n|                           | VenomRAT                        |              |\n|                           | Orcus RAT                       |              |\n|                           | BlackDolphin                    |              |\n|                           | Artemis RAT                     |              |\n|                           | Godzilla Loader                 |              |\n|                           | Jinx Loader                     |              |\n|                           | Netpune Loader                  |              |\n|                           | SpyAgent                        |              |\n|                           | SpiceRAT                        |              |\n|                           | Dust RAT                        |              |\n|                           | Pupy RAT                        |              |\n|                           | Atomic Stealer                  |              |\n|                           | Lumma Stealer                   |              |\n|                           | 
Serpent Stealer                 |              |\n|                           | Axile Stealer                   |              |\n|                           | Vector Stealer                  |              |\n|                           | Z3us Stealer                    |              |\n|                           | Rastro Stealer                  |              |\n|                           | Darkeye Stealer                 |              |\n|                           | AgniStealer                     |              |\n|                           | Epsilon Stealer                 |              |\n|                           | Bahamut Stealer                 |              |\n|                           | Unam Web Panel / SilentCryptoMiner |           |\n|                           | Vidar Stealer                   |              |\n|                           | Kraken RAT                      |              |\n|                           | Bumblebee Loader                |              |\n|                           | Viper RAT                       |              |\n|                           | Spectre Stealer                 |              |\n\u003c/details\u003e\n\n2. 
**Sources**: 12+ curated feeds including C2 servers, honeypot data, Mass-scanners, and OSINT feeds.\n\n\u003cdetails\u003e\n\u003csummary\u003e📚 View Full Source List\u003c/summary\u003e\n\n| Sources                   | Source URL                                                                 |\n|---------------------------|----------------------------------------------------------------------------|\n| C2 IP Feed                | [C2_iplist.txt](https://raw.githubusercontent.com/spydisec/spydithreatintel/refs/heads/main/iplist/C2IPs/osintc2feed.txt) |\n| Honeypot Master list      | [honeypot_iplist.txt](https://raw.githubusercontent.com/spydisec/spydithreatintel/refs/heads/main/iplist/honeypot/honeypot_extracted_feed.txt)     |\n| maltrail_scanners         | [maltrail_ips.txt](https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt)         |\n| botvrij_eu                | [botvrij_eu](https://www.botvrij.eu/data/ioclist.ip-dst.raw)                                                        |\n| feodotracker              | [feodotracker](https://feodotracker.abuse.ch/downloads/ipblocklist.txt)                                                        |\n| feodotracker_recommended  | [feodotracker_recommended](https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt)                                                        |\n| Blocklist_de_all          | [Blocklist_de_all](https://lists.blocklist.de/lists/all.txt)                                                        |\n| ThreatView_High_Confidence| [ThreatView_High_Confidence](https://threatview.io/Downloads/IP-High-Confidence-Feed.txt)                                                        |\n| IPsumLevel_7              | [IPsumLevel7](https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/7.txt)                                                        |\n| CINS_Score                | [CINS_Score](https://cinsscore.com/list/ci-badguys.txt)                    
                                    |\n| DigitalSide               | [DigitalSide](https://osint.digitalside.it/Threat-Intel/lists/latestips.txt)                                                        |\n| duggytuxy                 | [duggytuxy](https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/refs/heads/main/botnets_zombies_scanner_spam_ips.txt)                                                        |\n| etnetera.cz               | [etnetera.cz](https://security.etnetera.cz/feeds/etn_aggressive.txt)                                                        |\n| emergingthreats-compromised| [ET_Comp](https://rules.emergingthreats.net/blockrules/compromised-ips.txt)                                                        |\n| greensnow.co              | [greensnow.co](https://blocklist.greensnow.co/greensnow.txt)                                                         |\n| More coming Soon!         | [Future Updates](#)                                                        |\n\u003c/details\u003e\n\n3. 
Whitelist CDN Coverage Matrix:\n\n\u003cdetails\u003e\n\u003csummary\u003e View CDN Whitelist 🛡️\u003c/summary\u003e\n\n| Provider       | Type         | Coverage                             |\n|----------------|--------------|--------------------------------------|\n| Cloudflare     | CDN IPv4/IPv6    | Global CDN                |\n| Akamai         | CDN IPv4/IPv6   | Global CDN \u0026 Shield IPs              |\n| Fastly         | CDN IPv4/IPv6        | Global CDN                |\n| Tailscale      | DERP \u0026 Control Panel | Relay servers and control plane      |\n\u003c/details\u003e\n\n---\n\n## 🙌 Acknowledgements\n**Gratitude to our OSINT partners**  \nThis project stands on the shoulders of these valuable resources:\n\n- [Abuse.ch](https://abuse.ch) - Feodo Tracker\n- [Botvrij.eu](https://botvrij.eu) - Threat Intelligence\n- [Blocklist.de](https://blocklist.de) - Attack Data\n- [CINS Army](https://cinsscore.com) - Threat Scoring\n- [DigitalSide](https://osint.digitalside.it) - Italian CERT\n- ...and 10+ other community maintainers\n\n**Special Thanks** to MontySecurity for their C2 Tracker framework.\n\nThe active sources listed contribute to the compilation of blocklists but do not have a direct one-to-one correspondence. Each source has its own license; please consult the source files or repositories for details.\n\n---\n\n## 🤝 Community Contributions  \n**Build a cleaner, more actionable feed**  \nWe welcome contributions to enhance this resource for:  \n- **Individuals**: Simplify personal network security  \n- **SMBs**: Deploy cost-effective threat blocking  \n- **Enterprises**: Integrate scalable threat intelligence  \n\n**Key Focus Areas**:  \n🔹 **Deduplication**: Help eliminate redundant entries across feeds  \n🔹 **Reduce False Positives**: Help eliminate false-positive IOCs from the feeds.  
\n🔹 **Validation**: Flag false positives or outdated indicators  \n🔹 **Context**: Add threat actor/geo-tags for better filtering  \n🔹 **Automation**: Suggest workflow improvements for data curation  \n\n**How to Help**:  \n1. Submit verified IOCs via Pull Request  \n2. Report duplicate entries in [Issues](https://github.com/spydisec/spydithreatintel/issues)  \n3. Report false positives in [Issues](https://github.com/spydisec/spydithreatintel/issues)  \n4. Share feedback on enterprise/SMB integration patterns  \n5. Improve documentation for non-technical users  \n\nAll contributors are acknowledged in our [Credits](https://github.com/spydisec/spydithreatintel/wiki/Contributors).  \n\n---\n## 📡 Contact me\n- **E-Mail**: [spyditi@proton.me](mailto:spyditi@proton.me) (PGP: [Key](https://pastebin.com/igL3mGVb))\n\n[![OSINT Powered](https://img.shields.io/badge/Intel-OSINT_Powered-yellow?style=for-the-badge)](#)\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspydisec%2Fspydithreatintel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspydisec%2Fspydithreatintel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspydisec%2Fspydithreatintel/lists"}